MS11-044: JIT compiler issue in .NET Framework

Today we have released MS11-044 to address CVE-2011-1271, a remote code execution vulnerability in the .NET framework. Here we would like to provide more technical information about this vulnerability and why we believe this issue to be unlikely to be exploited.

This root cause of CVE-2011-1271 is that there was a bug in the JIT compiler which would cause it to mistakenly determine that a given object is always null (or non-null) and would omit certain checks.

For example:

                                     if ((value == null || value == new string[0]) == false)
00000027  test        esi,esi               ; value == null?
00000029  je          00000075 
0000002b  xor         edx,edx               ; new string[0]
0000002d  mov         ecx,6D913BD2h 
00000032  call        FFD20BC8 
00000037  cmp         eax,esi               ; value == new string[0]?
00000039  je          00000075 
                    Console.WriteLine("Post-check Value is: " + value);
0000003b  mov         ecx,dword ptr ds:[03532090h]  ; "Post-check value is: "
00000041  xor         edx,edx               ; Wrong here.
00000043  call        6D70B7E8              ; String.Concat()
00000048  mov         esi,eax               ; 
0000004a  call        6D72BE08              ; get Console.Out
0000004f  mov         ecx,eax 
00000051  mov         edx,esi 
00000053  mov         eax,dword ptr [ecx] 
00000055  call        dword ptr [eax+000000D8h]     ; Console.WriteLine()

At offset 0x41, the optimizer has incorrectly concluded that value will always be null so it directly passes a null to String.Concat().

For CVE-2011-1271, the JIT compiler can introduce a logic flaw when running C# or IL code sequences very similar to those describe above. Depending on the .NET application’s business logic, if the NULL check (or non-NULL check) is used to make a security decision, for example the check of certain credentials, and if the attacker controlled data may leverage directly or indirectly this missing logic and gain advantages based on this, then there is a possibility of remote code execution.  However, we do not believe this to be a common case for the majority of deployed .NET applications.

Special thanks to Reid Borsuk in .NET team.

Fermin Serna and Chengyun Chu, MSRC Engineering